On Aug 2, 2011, at 5:08 PM, Brzozowski, John wrote:
> On 8/2/11 8:28 AM, "Keith Moore" <[email protected]> wrote:
>> On Aug 2, 2011, at 4:22 AM, Philip Homburg wrote:
>> 
>>> How do you construct a router such that the router always knows what it
>>> has to do, or at least is in some sense fail-safe?
>> 
>> The idea that a firewall should automatically know what "it has to do"
>> strikes me as utterly bizarre.   I realize that there's a desire to
>> minimize the configuration burden for unsophisticated users (and agree
>> with that), but the idea that the firewall knows better than the user
>> what his security policy should be seems ridiculous.
> [jjmb] I agree Keith that having a firewall automatically know what to do
> is a tall order.  I also think there is more than a desire to ease
> configuration burden, this is a must since most users on the Internet have
> very basic technical skills.

So, I agree with this point, but are we constraining our thinking too early?  
For example, if the assumption is there is a singular CPE-router/FW that has 
been allocated a /56 from a provider, then:
- why couldn't the FW provide 'stateful firewall' service for the first 
'covering' /60 of IPv6 prefixes (/64's) allocated within the house;
- but, the CPE-router/FW would /NOT/ provide stateful or stateless firewall for 
the remaining 7/8's of address space allocated within the house.

Of course, just change the 'mask' lengths to represent whatever the WG thinks 
are 'sensible' defaults.

And, we'd need to decide if this is something a device in the home can 
'dynamically' request from the CPE-router/FW via, say, DHCPv6 or if there are 
better options ...

-shane

>> 
>> A different idea is that the firewall always work in a very minimal mode
>> by default (e.g. it passes no traffic, or maybe only outgoing port 80
>> traffic, but its configuration interface is enabled for the internal
>> ports) so that the user must configure it in order to get it to do
>> anything useful.  That way, the first thing a user learns about his
>> router/firewall is how to configure it.  Then you want to focus on making
>> the configuration interface easy to understand.  (You also have to figure
>> out how to keep the user from hooking up the internal port to the
>> external connection.)
> [jjmb] I said something similar to this in an earlier email.  To
> start, there should perhaps be a basic configuration that protects the user
> and allows the service to be usable.
>> 
>> But these are user interface issues, not protocol issues.   Perhaps
>> they're better addressed in homenet than here.
> [jjmb] I could imagine some protocol work that could ease the pain here, UI
> for sure could facilitate ease of use.
>> 
>> Keith
>> 
>> _______________________________________________
>> v6ops mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/v6ops
> 

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
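As an added illustration, not code from the thread or from any IETF draft: a small Python model of the split default Shane sketches above, where a CPE holding a /56 applies stateful filtering only to the first "covering" /60 and leaves the rest of the delegation unfiltered. The /56 used here is a constructed documentation-range value, and the function names are this example's own.

```python
"""Model of a CPE firewall that is stateful for the first /60 of a delegated /56
and open for the remainder (example code; prefix and names are assumptions)."""
import ipaddress

# Constructed sample delegation from the 2001:db8::/32 documentation range.
DELEGATED = ipaddress.IPv6Network("2001:db8:abcd:ff00::/56")


def covering_prefix(delegation, covering_len=60):
    """First sub-prefix of `covering_len` bits inside the delegation."""
    if covering_len < delegation.prefixlen:
        raise ValueError("covering prefix must be no shorter than the delegation")
    return next(delegation.subnets(new_prefix=covering_len))


def policy_for(addr, delegation=DELEGATED, covering_len=60):
    """Which default the CPE applies for an internal destination address:
    'stateful' inside the covering prefix, 'open' elsewhere in the delegation,
    'not-ours' if the address is outside the delegation entirely."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in delegation:
        return "not-ours"
    if addr in covering_prefix(delegation, covering_len):
        return "stateful"
    return "open"


def allow_inbound(src_ext, dst_int, seen_outbound, delegation=DELEGATED, covering_len=60):
    """Decide whether an inbound packet from external `src_ext` to internal `dst_int`
    is admitted. `seen_outbound` is the CPE's flow table: a set of
    (internal_addr, external_addr) pairs for which outbound traffic was observed.
    Stateful hosts only receive replies to flows they opened; open hosts receive
    everything; addresses outside the delegation are dropped as misrouted."""
    policy = policy_for(dst_int, delegation, covering_len)
    if policy == "not-ours":
        return False
    if policy == "stateful":
        return (str(ipaddress.IPv6Address(dst_int)),
                str(ipaddress.IPv6Address(src_ext))) in seen_outbound
    return True


def coverage_counts(delegation=DELEGATED, covering_len=60, lan_len=64):
    """Number of /64 LAN prefixes on each side of the split: (covered, uncovered)."""
    covered = 2 ** (lan_len - covering_len)
    total = 2 ** (lan_len - delegation.prefixlen)
    return covered, total - covered
```

Changing the mask lengths passed in reflects the "just change the 'mask' lengths" remark: `coverage_counts(covering_len=59)` shows how many /64s a wider covering prefix would protect.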
